TESTSSL(1)

NAME
testssl -- check encryption of SSL/TLS servers

SYNOPSIS
testssl [OPTIONS] <URI>, testssl [OPTIONS] --file <FILE>

or

testssl [BANNER OPTIONS]

DESCRIPTION
testssl is a free command line tool which checks a server's service on any port for the support of TLS/SSL ciphers and protocols as well as for cryptographic flaws and much more.

The output rates findings by color (screen) or severity (file output) so that you are able to tell whether something is good or bad. The (screen) output has several sections in which classes of checks are performed. To ease readability on the screen it aligns and indents the output properly.

Only you see the result. You can also use it internally on your LAN. Except for DNS lookups, or unless you instruct testssl to check for revocation of certificates, it doesn't use any other hosts or third parties for any test.

REQUIREMENTS
Testssl.sh is out of the box portable: it runs under any Unix-like stack: Linux, *BSD, MacOS X, WSL (Windows Subsystem for Linux), Cygwin and MSYS2. bash is a prerequisite; version 3 is still supported. Standard utilities like awk, sed, tr and head are also needed. These can be of a BSD, System 5 or GNU flavor, whereas grep from System V is not yet supported.

Any OpenSSL or LibreSSL version is needed as a helper. Unlike previous versions of testssl, almost every check is done via (TCP) sockets. In addition, statically linked OpenSSL binaries for major operating systems are supplied in ./bin/.

GENERAL
testssl URI as the default invocation does the so-called default run, which performs a number of checks and prints the results colorized (ANSI and termcap) on the screen. It runs every check listed below except -E, in this order:

0) displays a banner (see below), does a DNS lookup (also for further IP addresses) and a reverse lookup for the returned IP address. Last but not least a service check is performed.

1) SSL/TLS protocol check

2) standard cipher categories to give you an upfront idea of the ciphers supported

3) checks (perfect) forward secrecy: ciphers and elliptical curves

4) server preferences (server order)

5) server defaults (certificate info, TLS extensions, session information)

6) HTTP header (if HTTP detected or being forced via --assume-http)

7) vulnerabilities

8) testing each of 370 preconfigured ciphers

9) client simulation
76
78 Options are either short or long options. Any long or short option
79 requiring a value can be called with or without an equal sign. E.g.
80 testssl -t=smtp --wide --openssl=/usr/bin/openssl <URI> (short options
81 with equal sign) is equivalent to testssl --starttls smtp --wide
82 --openssl /usr/bin/openssl <URI> (long option without equal sign). Some
83 command line options can also be preset via ENV variables. WIDE=true
84 OPENSSL=/usr/bin/openssl testssl --starttls=smtp <URI> would be the
85 equivalent to the aforementioned examples. Preference has the command
86 line over any environment variables.
87
88 <URI> or --file <FILE> always needs to be the last parameter.
89
90 BANNER OPTIONS
91 --help (or no arg) display command line help
92
93 -b, --banner displays testssl banner, including license, usage condi‐
94 tions, version of testssl, detected openssl version, its path to it, #
95 of ciphers of openssl, its build date and the architecture.
96
97 -v, --version same as before
98
99 -V [pattern] , --local [pattern] pretty print all local ciphers sup‐
100 ported by openssl version. If a pattern is supplied it performs a match
101 (ignore case) on any of the strings supplied in the wide output, see
102 below. The pattern will be searched in the any of the columns: hexcode,
103 cipher suite name (OpenSSL or IANA), key exchange, encryption, bits. It
104 does a word pattern match for non-numbers, for number just a normal
105 match applies. Numbers here are defined as [0-9,A-F]. This means
106 (attention: catch) that the pattern CBC is matched as non-word, but AES
107 as word.

INPUT PARAMETERS
URI can be a hostname, an IPv4 or IPv6 address (restriction see below) or a URL. IPv6 addresses need to be in square brackets. For any given parameter port 443 is assumed unless specified by appending a colon and a port number. The only preceding protocol specifier allowed is https. You need to be aware that checks for an IP address might not hit the vhost you want. DNS resolution (A/AAAA record) is performed unless you have an /etc/hosts entry for the hostname.

--file <fname> or the equivalent -iL <fname> are mass testing options. Per default it implicitly turns on --warnings batch. In its first incarnation the mass testing option reads command lines from fname. fname consists of command lines of testssl, one line per instance. Comments after # are ignored; EOF signals the end of fname and any subsequent lines will be ignored too. You can also supply additional options which will be inherited by each child, e.g. when invoking testssl --wide --log --file <fname>. Each single line in fname is parsed upon execution. If there's a conflicting option and serial mass testing is being performed, the check will be aborted at the time it occurs, depending on the output option potentially leaving you with an output file without footer. In parallel mode the mileage varies; likely a line won't be scanned.

Alternatively fname can be in nmap's grep(p)able output format (-oG). Only open ports will be considered. Multiple ports per line are allowed. The ports can be different and will be tested by testssl according to common practice in the internet, i.e. if nmap shows in its output an open port 25, automatically -t smtp will be added before the URI, whereas port 465 will be treated as a plain TLS/SSL port not requiring an STARTTLS SMTP handshake upfront. This is done by an internal table which correlates nmap's detected open port to the STARTTLS/plain text decision of testssl.

Nmap's output always returns IP addresses and, only if there's a PTR DNS record available, a hostname. As nmap does not check whether the hostname matches the IP (A or AAAA record), testssl does this automatically for you. If the A record of the hostname matches the IP address, the hostname is used and not the IP address. Please keep in mind that checks against an IP address might not hit the vhost you may have been aiming at and thus may lead to different results.

A typical internal conversion to testssl file format from nmap's grep(p)able format could look like:

    10.10.12.16:443
    10.10.12.16:1443
    -t smtp host.example.com:25
    host.example.com:443
    host.example.com:631
    -t ftp 10.10.12.11:21
    10.10.12.11:8443

Please note that fname has to be in Unix format. DOS carriage returns won't be accepted. Instead of the command line switch the environment variable FNAME will be honored too.
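
The conversion described above, worked through as an added example that is not part of testssl.sh: a POSIX sh function reads nmap -oG output and emits the --file format, using a small assumed port table (the page names only 21, 25 and 465; the other entries are my additions) in place of testssl's internal one. It runs on a constructed sample and deliberately skips the A-record cross-check that testssl itself performs on the nmap hostname.

```shell
#!/bin/sh
# Added example (not testssl.sh code): nmap -oG output -> testssl --file format.

# Assumed port table: open ports that need a STARTTLS handshake first get "-t <proto>";
# anything else (443, 465, 631, 8443, ...) is treated as a plain TLS/SSL port.
starttls_for_port() {
    case "$1" in
        21)     echo ftp ;;
        25|587) echo smtp ;;
        110)    echo pop3 ;;
        143)    echo imap ;;
        389)    echo ldap ;;
        3306)   echo mysql ;;
        5222)   echo xmpp ;;
        5432)   echo postgres ;;
        *)      echo "" ;;
    esac
}

# Reads nmap grepable output (-oG) on stdin and writes one testssl command line per
# open TCP port. The hostname nmap printed (from a PTR record) is used when present;
# the A-record check testssl performs itself is not repeated here (offline example).
nmap_grepable_to_testssl() {
    tab=$(printf '\t')
    while IFS= read -r line; do
        case "$line" in
            "Host: "*"Ports: "*) ;;
            *) continue ;;                       # comments, "Status: Up" lines, ...
        esac
        host=${line#"Host: "}                    # "10.10.12.11 (host.example.com)<TAB>Ports: ..."
        ip=${host%% *}
        name=${host#*"("}; name=${name%%")"*}    # empty when nmap had no PTR record
        target=${name:-$ip}
        ports=${line#*"Ports: "}
        ports=${ports%%"$tab"*}                  # drop the "Ignored State: ..." trailer
        # Entries look like "443/open/tcp//https///": split on "," then on "/".
        printf '%s\n' "$ports" | tr ',' '\n' |
        while IFS=/ read -r port state proto rest; do
            port=${port# }
            [ "$state" = open ] && [ "$proto" = tcp ] || continue
            proto_hint=$(starttls_for_port "$port")
            if [ -n "$proto_hint" ]; then
                printf '%s %s %s:%s\n' -t "$proto_hint" "$target" "$port"
            else
                printf '%s:%s\n' "$target" "$port"
            fi
        done
    done
}

# Constructed sample in nmap -oG format (fields are TAB separated).
sample_nmap_og() {
    printf '# Nmap scan initiated (constructed sample)\n'
    printf 'Host: 10.10.12.16 ()\tStatus: Up\n'
    printf 'Host: 10.10.12.16 ()\tPorts: 443/open/tcp//https///, 1443/open/tcp//ies-lm///\tIgnored State: closed (998)\n'
    printf 'Host: 10.10.12.11 (host.example.com)\tPorts: 21/open/tcp//ftp///, 25/open/tcp//smtp///, 80/closed/tcp//http///, 465/open/tcp//smtps///\n'
}

# Typical use: nmap_grepable_to_testssl < scan.gnmap > targets.txt; testssl --file targets.txt
sample_nmap_og | nmap_grepable_to_testssl
```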

--mode <serial|parallel>. Mass testing is done serially (default) or in parallel (--parallel is a shortcut for the latter, --serial is the opposite option). Per default mass testing is run in serial mode, i.e. one line after the other is processed and invoked. The variable MASS_TESTING_MODE can be defined to be either serial or parallel.

--warnings <batch|off>. The warnings parameter determines how testssl will deal with situations where user input normally would be necessary. There are two options. batch doesn't wait for a confirming keypress when a client- or server-side problem is encountered. As of 3.0 it then just terminates the particular scan. This is automatically chosen for mass testing (--file). off just skips the warning and the confirmation but continues the scan, independent of whether it makes sense or not. Please note that there are conflicts where testssl will still ask for confirmation, namely the ones which would otherwise have a drastic impact on the results. Almost any other decision will be made in the future as a best guess by testssl. The same can be achieved by setting the environment variable WARNINGS.

--connect-timeout <seconds> This is useful for socket TCP connections to a node. If the node does not complete a TCP handshake (e.g. because it is down or behind a firewall or there's an IDS or a tarpit) testssl may usually hang for around 2 minutes or even much more. This parameter instructs testssl to wait at most <seconds> for the handshake to complete before giving up. This option only works if your OS has a timeout binary installed. CONNECT_TIMEOUT is the corresponding environment variable.

--openssl-timeout <seconds> This is especially useful for all connects using openssl and practically useful for mass testing. It avoids openssl connects hanging for ~2 minutes. The expected parameter <seconds> instructs testssl how long to wait before the openssl connect will be terminated. The option is only available if your OS has a timeout binary installed. As there are different implementations of timeout, it automatically calls the binary with the right parameters. OPENSSL_TIMEOUT is the equivalent environment variable.

--basicauth <user:pass> This can be set to provide HTTP basic auth credentials which are used during checks for security headers. BASICAUTH is the ENV variable you can use instead.

SPECIAL INVOCATIONS
-t <protocol>, --starttls <protocol> does a default run against a STARTTLS enabled protocol. protocol must be one of ftp, smtp, pop3, imap, xmpp, telnet, ldap, irc, lmtp, nntp, postgres, mysql. For the latter four you need e.g. the supplied OpenSSL or OpenSSL version 1.1.1. Please note: MongoDB doesn't offer a STARTTLS connection, LDAP currently only works with --ssl-native, telnet and irc are WIP.

--xmpphost <jabber_domain> is an additional option for STARTTLS enabled XMPP: It expects the jabber domain as a parameter. This is only needed if the domain is different from the URI supplied.

--mx <domain|host> tests all MX records (STARTTLS on port 25) from high to low priority, one after the other.

--ip <ip> tests either the supplied IPv4 or IPv6 address instead of resolving host(s) in <URI>. IPv6 addresses need to be supplied in square brackets. --ip=one means: just test the first A record DNS returns (useful for multiple IPs). If -6 and --ip=one were supplied an AAAA record will be picked if available. The --ip option might also be useful if you want to resolve the supplied hostname to a different IP, similar to editing /etc/hosts or /c/Windows/System32/drivers/etc/hosts. --ip=proxy tries a DNS resolution via proxy.

--proxy <host>:<port> does ANY check via the specified proxy. --proxy=auto inherits the proxy setting from the environment. The hostname supplied will be resolved to the first A record. In addition, if you want lookups via proxy you can specify DNS_VIA_PROXY=true. OCSP revocation checking (-S --phone-out) is not supported by OpenSSL via proxy. As supplying a proxy is an indicator for outgoing port 80 and 443 being blocked in your network, an OCSP revocation check won't be performed. However if IGN_OCSP_PROXY=true has been supplied it will be tried directly. Authentication to the proxy is not supported. Proxying via IPv6 addresses is not possible; no HTTPS or SOCKS proxy is supported.

-6 does (also) IPv6 checks. Please note that testssl doesn't perform checks on an IPv6 address automatically, for two reasons: testssl does no connectivity checks for IPv6, and it cannot reliably determine whether the OpenSSL binary you're using has IPv6 s_client support. -6 assumes both are the case. If both conditions are met and you in general prefer to test IPv6 branches as well, you can add HAS_IPv6 to your shell environment. Besides the OpenSSL binary supplied, IPv6 is known to work with vanilla OpenSSL >= 1.1.0 and older versions >= 1.0.2 in RHEL/CentOS/FC and Gentoo.

--ssl-native Instead of using a mixture of bash sockets and a few openssl s_client connects, testssl uses the latter (almost) only. This is faster at the moment but provides less accurate results, especially for the client simulation and for cipher support. For all checks you will see a warning if testssl cannot tell whether a particular check can be performed. For some checks however you might end up getting false negatives without a warning. This option is only recommended if you prefer speed over accuracy or you know that your target has sufficient overlap with the protocols and ciphers provided by your openssl binary.

--openssl <path_to_openssl> testssl tries very hard to automagically find the binary supplied (where the tree of testssl resides, the directory testssl has been started from, etc.). If all that doesn't work it falls back to the openssl supplied by the OS ($PATH). With this option you can point testssl to your binary of choice and override any internal magic to find the openssl binary. (Environment preset via OPENSSL=<path_to_openssl>).

TUNING OPTIONS
--bugs does some workarounds for buggy servers like padding for old F5 devices. The option is passed as -bugs to openssl when needed, see s_client(1); environment preset via BUGS="-bugs" (1x dash). For the socket part testssl always has workarounds in place to cope with broken server implementations.

--assume-http testssl normally does an upfront application protocol detection. In cases where HTTP cannot be automatically detected you may want to use this option. It forces testssl not to skip HTTP specific tests (HTTP header) and to run a browser based client simulation. Please note that sometimes also the severity depends on the application protocol, e.g. SHA1 signed certificates, the lack of any SAN matches and some vulnerabilities will be punished harder when checking a web server as opposed to a mail server.

-n, --nodns <min|none> tells testssl which DNS lookups should be performed. min uses only forward DNS resolution (A and AAAA record or MX record) and skips CAA lookups and PTR records from the IP address back to a DNS name. none performs no DNS lookups at all. For the latter you either have to supply the IP address as a target, use --ip, or have the IP address in /etc/hosts. The use of the switch is only useful if you either can't or are not willing to perform DNS lookups. The latter can apply e.g. to some pentests. In general this option could e.g. help you to avoid timeouts caused by DNS lookups. NODNS is the environment variable for this.

--sneaky For HTTP header checks testssl normally uses the server friendly HTTP user agent TLS tester from ${URL}. With this option your traces are less verbose and a Firefox user agent is used. Be aware that it doesn't hide your activities. That is just not possible (environment preset via SNEAKY=true).

--ids-friendly is a switch which may help to get a scan finished which otherwise would be blocked by a server side IDS. This switch skips tests for the following vulnerabilities: Heartbleed, CCS Injection, Ticketbleed and ROBOT. The environment variable OFFENSIVE set to false will achieve the same result. Please be advised that as an alternative or as a general approach you can try to apply evasion techniques by changing the variables USLEEP_SND and / or USLEEP_REC and maybe MAX_WAITSOCK.

--phone-out Checking for revoked certificates via CRL and OCSP is not done per default. This switch instructs testssl to query external -- in the sense of the current run -- URIs. By using this switch you acknowledge that the check might have privacy issues, a download of several megabytes (CRL file) may happen and there may be network connectivity problems while contacting the endpoint which testssl doesn't handle. PHONE_OUT is the environment variable for this, which needs to be set to true if you want this.

--add-ca <cafile> enables you to add your own CA(s) for trust chain checks. cafile can be a single path or multiple paths as a comma separated list of root CA files. Internally they will be added during runtime to all CA stores. This is (only) useful for internal hosts whose certificates are issued by internal CAs. Alternatively ADDITIONAL_CA_FILES is the environment variable for this.

SINGLE CHECK OPTIONS
Any single check switch supplied as an argument prevents testssl from doing a default run. It just takes this and, if supplied, other options and runs them - in the order they would also appear in the default run.

-e, --each-cipher checks each of the (currently configured) 370 ciphers via openssl + sockets remotely on the server and reports back the result in wide mode. If you want to display each cipher tested you need to add --show-each. Per default it lists the following parameters: hexcode, OpenSSL cipher suite name, key exchange, encryption bits, IANA/RFC cipher suite name. Please note the --mapping parameter changes what cipher suite names you will see here and at which position. Also please note that the bit length for the encryption is shown and not the security length, albeit it'll be sorted by the latter. For 3DES, due to the Meet-in-the-Middle problem, the bit size of 168 bits is equivalent to the security size of 112 bits.

-E, --cipher-per-proto is similar to -e, --each-cipher. It checks each of the possible ciphers, here: per protocol. If you want to display each cipher tested you need to add --show-each. The output is sorted by security strength, it lists the encryption bits though.

-s, --std, --standard tests certain lists of cipher suites by strength. Those lists are (openssl ciphers $LIST, $LIST from below):

· NULL encryption ciphers: 'NULL:eNULL'

· Anonymous NULL ciphers: 'aNULL:ADH'

· Export ciphers (w/o the preceding ones): 'EXPORT:!ADH:!NULL'

· LOW (64 Bit + DES ciphers, without EXPORT ciphers): 'LOW:DES:RC2:RC4:!ADH:!EXP:!NULL:!eNULL'

· 3DES + IDEA Ciphers: '3DES:IDEA:!aNULL:!ADH'

· Average grade Ciphers: 'HIGH:MEDIUM:AES:CAMELLIA:ARIA:!IDEA:!CHACHA20:!3DES:!RC2:!RC4:!AESCCM8:!AESCCM:!AESGCM:!ARIAGCM:!aNULL'

· Strong grade Ciphers (AEAD): 'AESGCM:CHACHA20:CamelliaGCM:AESCCM'

-f, --pfs, --fs, --nsa Checks robust (perfect) forward secrecy key exchange. "Robust" means that ciphers having intrinsic severe weaknesses like Null Authentication or Encryption, 3DES and RC4 won't be considered here. There shouldn't be the wrong impression that a secure key exchange has been taking place and everything is fine when in reality the encryption sucks. Also this section lists the available elliptical curves and Diffie-Hellman groups, as well as FFDHE groups (TLS 1.2 and TLS 1.3).

-p, --protocols checks TLS/SSL protocols SSLv2, SSLv3, TLS 1.0 through TLS 1.3 and for HTTP: SPDY (NPN) and ALPN, a.k.a. HTTP/2. For TLS 1.3 several drafts (from 18 on) and final are supported and tested for.

-P, --preference displays the server's preferences: cipher order, and with the openssl client used: negotiated protocol and cipher. If there's a cipher order enforced by the server it displays it for each protocol (openssl+sockets). If there's not, it displays instead which ciphers from the server were picked with each protocol.

-S, --server_defaults displays information from the server hello(s):

· Available TLS extensions,

· TLS ticket + session ID information/capabilities,

· session resumption capabilities,

· Time skew relative to localhost (most server implementations return random values).

· Several certificate information:

    · signature algorithm,

    · key size,

    · key usage and extended key usage,

    · fingerprints and serial,

    · Common Name (CN), Subject Alternative Name (SAN), Issuer,

    · Trust via hostname + chain of trust against supplied certificates,

    · EV certificate detection,

    · experimental "eTLS" detection,

    · validity: start + end time, how many days to go (warning for certificate lifetime >= 5 years),

    · revocation info (CRL, OCSP, OCSP stapling + must staple). When --phone-out is supplied it checks against the certificate issuer whether the host certificate has been revoked (plain OCSP, CRL),

    · displaying DNS Certification Authority Authorization resource record,

    · Certificate Transparency info (if provided by server).

For the trust chain check 5 certificate stores are provided. If the test against one of the trust stores failed, that one is identified and the reason for the failure is displayed - in addition the ones which succeeded are displayed too. You can configure your own CA via ADDITIONAL_CA_FILES, see section FILES below. If the server provides no matching record in Subject Alternative Name (SAN) but in Common Name (CN), it will be indicated as this is deprecated. Multiple server certificates are also checked for, as is the certificate reply to a non-SNI (Server Name Indication) client hello to the IP address. Regarding the TLS clock skew: it displays the time difference to the client. Only a few TLS stacks nowadays still support this and return the local clock gmt_unix_time, e.g. IIS, openssl < 1.0.1f. In addition to the HTTP date you could e.g. derive that there are different hosts where your TLS and your HTTP request ended -- if the time deltas differ significantly.

-x <pattern>, --single-cipher <pattern> tests the matched pattern of ciphers against a server. Patterns are similar to -V pattern, --local pattern, see above about matching.

-h, --header, --headers if the service is HTTP (either by detection or by enforcing via --assume-http), it tests several HTTP headers like

· HTTP Strict Transport Security (HSTS)

· HTTP Public Key Pinning (HPKP)

· Server banner

· HTTP date+time

· Server banner like Linux or other Unix vendor headers

· Application banner (PHP, RoR, OWA, SharePoint, Wordpress, etc)

· Reverse proxy headers

· Web server modules

· IPv4 address in header

· Cookie (including Secure/HTTPOnly flags)

· Decodes BIG IP F5 non-encrypted cookies

· Security headers (X-Frame-Options, X-XSS-Protection, Expect-CT, ..., CSP headers). Nonsense is not yet detected here.

-c, --client-simulation This simulates a handshake with a number of standard clients so that you can figure out which client cannot or can connect to your site. For the latter case (a successful connect) the protocol, cipher and curve are displayed, also whether there's Forward Secrecy. testssl uses a hand-selected set of clients which are retrieved via the SSLlabs API. The output is aligned in columns when combined with the --wide option. If you want the full nine yards of clients displayed use the environment variable ALL_CLIENTS.

-g, --grease checks several server implementation bugs like tolerance to size limitations and GREASE, see https://www.ietf.org/archive/id/draft-ietf-tls-grease-01.txt . This check doesn't run per default.

VULNERABILITIES
-U, --vulnerable, --vulnerabilities Just tests all (of the following) vulnerabilities. The environment variable VULN_THRESHLD determines after which value a separate headline for each vulnerability is displayed. Default is 1, which means if you check for two vulnerabilities, only the general headline for the vulnerabilities section is displayed -- in addition to the vulnerability and the result. Otherwise each vulnerability or vulnerability section gets its own headline in addition to the output of the name of the vulnerability and test result. A vulnerability section is comprised of more than one check, e.g. the renegotiation vulnerability check has two checks, so has Logjam.

-H, --heartbleed Checks for Heartbleed, a memory leakage in openssl. If the server side doesn't support the heartbeat extension it is likely that this check runs into a timeout. The seconds to wait for a reply can be adjusted with HEARTBLEED_MAX_WAITSOCK. 8 is the default.

-I, --ccs, --ccs-injection Checks for CCS Injection which is an openssl vulnerability. Sometimes also here the check needs to wait for a reply. The predefined timeout of 5 seconds can be changed with the environment variable CCS_MAX_WAITSOCK.

-T, --ticketbleed Checks for Ticketbleed memory leakage in BigIP loadbalancers.

-BB, --robot Checks for vulnerability to the ROBOT (Return Of Bleichenbacher's Oracle Threat) attack.

-R, --renegotiation Tests renegotiation vulnerabilities. Currently there's a check for Secure Renegotiation and for Secure Client-Initiated Renegotiation. Please be aware that servers vulnerable to the latter can likely be DoSed very easily (HTTP). A check for Insecure Client-Initiated Renegotiation is not yet implemented.

-C, --compression, --crime Checks for CRIME (Compression Ratio Info-leak Made Easy) vulnerability in TLS. CRIME in SPDY is not yet checked for.

-B, --breach Checks for BREACH (Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext) vulnerability. As HTTP level compression is a prerequisite for this vulnerability, it'll not be tested if HTTP cannot be detected or the detection is not enforced via --assume-http. Please note that only the URL supplied (normally "/") is tested.

-O, --poodle Tests for SSL POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability. It basically checks for the existence of CBC ciphers in SSLv3.

-Z, --tls-fallback Checks TLS_FALLBACK_SCSV mitigation. TLS_FALLBACK_SCSV is basically a ciphersuite appended to the Client Hello trying to prevent protocol downgrade attacks by a Man in the Middle.

-W, --sweet32 Checks for vulnerability to SWEET32 by testing 64 bit block ciphers (3DES, RC2 and IDEA).

-F, --freak Checks for FREAK vulnerability (Factoring RSA Export Keys) by testing for EXPORT RSA ciphers.

-D, --drown Checks for DROWN vulnerability (Decrypting RSA with Obsolete and Weakened eNcryption) by checking whether the SSL 2 protocol is available at the target. Please note that if you use the same RSA certificate elsewhere you might be vulnerable too. testssl doesn't check for this but provides a helpful link @ censys.io which provides this service.

-J, --logjam Checks for LOGJAM vulnerability by checking for DH EXPORT ciphers. It also checks for "common primes" which are preconfigured DH keys. DH keys <= 1024 bit will be penalized. Also FFDHE groups (TLS 1.2) will be displayed here.

-A, --beast Checks BEAST vulnerabilities in SSL 3 and TLS 1.0 by testing the usage of CBC ciphers.

-L, --lucky13 Checks for LUCKY13 vulnerability. It checks for the presence of CBC ciphers in TLS versions 1.0 - 1.2.

-4, --rc4, --appelbaum Checks which RC4 stream ciphers are being offered.

OUTPUT OPTIONS
-q, --quiet Normally testssl displays a banner on stdout with version information, usage rights and a warning. This option suppresses it. Please note that by choosing this option you acknowledge the usage terms and the warning normally appearing in the banner.

--wide Except for the "each cipher output" all tests display the single cipher name (scheme see below). This option enables testssl to display also for the following sections the same output as for testing each cipher: BEAST, PFS, RC4. The client simulation also has a wide mode. The difference here is restricted to a column aligned output and a proper headline. The environment variable WIDE can be used instead.

--mapping <openssl|iana|no-openssl|no-iana>

· openssl: use the OpenSSL cipher suite name as the primary name (default),

· iana: use the IANA cipher suite name as the primary name.

· no-openssl: don't display the OpenSSL cipher suite name, display IANA names only.

· no-iana: don't display the IANA cipher suite name, display OpenSSL names only.

Please note that in testssl 3.0 you can still use rfc instead of iana and no-rfc instead of no-iana but it'll disappear after 3.0.

--show-each This is an option for all wide modes only: it displays all ciphers tested -- not only the succeeded ones. SHOW_EACH_C is your friend if you prefer to set this via the shell environment.

--color <0|1|2|3> determines the use of colors on the screen and in the log file: 2 is the default and makes use of ANSI and termcap escape codes on your terminal. 1 just uses non-colored mark-up like bold, italics, underline, reverse. 0 means no mark-up at all = no escape codes. This is also what you want when you want a log file without any escape codes. 3 will color ciphers and EC according to an internal (not yet perfect) rating. Setting the environment variable COLOR to the value achieves the same result. Please note that OpenBSD and early FreeBSD do not support italics.

--colorblind Swaps green and blue colors in the output, so that this percentage of folks (up to 8% of males, see https://en.wikipedia.org/wiki/Color_blindness) can distinguish those findings better. COLORBLIND is the according variable if you want to set this in the environment.

--debug <0-6> This gives you additional output on the screen (2-6), only useful for debugging. DEBUG is the according environment variable which you can use. There are six levels (0 is the default, thus it has no effect):

1. screen output normal but leaves useful debug output in /tmp/testssl.XXXXXX/ . The info about the exact directory is included in the screen output at the end of the run.

2. lists more of what's going on, status (high level) and connection errors, a few general debug outputs

3. even slightly more info: hexdumps + other info

4. display bytes sent via sockets

5. display bytes received via sockets

6. whole 9 yards

FILE OUTPUT OPTIONS
--log, --logging Logs stdout also to ${NODE}-p${port}${YYYYMMDD-HHMM}.log in the current working directory of the shell. Depending on the color output option (see above) the output file will contain color and other markup escape codes, unless you specify --color 0 too. cat and -- if properly configured -- less will show the output properly formatted on your terminal. The output shows a banner with almost the same information as on the screen. In addition it shows the command line of the testssl instance. Please note that the resulting log file is formatted according to the width of your screen while running testssl. You can override the width with the environment variable TERM_WIDTH.

--logfile <logfile> or -oL <logfile> Instead of the previous option you may want to use this one if you want to log into a directory or if you rather want to specify the log file name yourself. If logfile is a directory the output will be put into logfile/${NODE}-p${port}${YYYYMMDD-HHMM}.log. If logfile is a file it will use that file name; an absolute path is also permitted here. LOGFILE is the variable you need to set if you prefer to work with environment variables instead. Please note that the resulting log file is formatted according to the width of your screen while running testssl. You can override the width with the environment variable TERM_WIDTH.

--json Logs additionally to the JSON file ${NODE}-p${port}${YYYYMMDD-HHMM}.json in the current working directory of the shell. The resulting JSON file is, as opposed to --json-pretty, flat -- which means each section is self contained and has an identifier for each single check, the hostname/IP address, the port, severity and the finding. For vulnerabilities it may contain a CVE and CWE entry too. The output doesn't contain a banner or a footer.
693
694 --jsonfile <jsonfile> or -oj <jsonfile> Instead of the previous option
695 you may want to use this one if you want to log the JSON out put into a
696 directory or if you rather want to specify the log file name yourself.
697 If jsonfile is a directory the output will put into log‐
698 file/${NODE}-p${port}${YYYYMMDD-HHMM}.json. Ifjsonfile` is a file it
699 will use that file name, an absolute path is also permitted here.
700
701 --json-pretty Logs additionally to JSON file ${NODE}-p${port}${YYYYM‐
702 MDD-HHMM}.json in the current working directory of the shell. The
703 resulting JSON file is opposed to--json` non-flat -- which means it is
704 structured. The structure contains a header similar to the banner on
705 the screen, including the command line, scan host, openssl binary used,
706 testssl version and epoch of the start time. Then for every test sec‐
707 tion of testssl it contains a separate JSON object/section. Each find‐
708 ing has a key/value pair identifier with the identifier for each single
709 check, the severity and the finding. For vulnerabilities it may contain
710 a CVE and CWE entry too. The footer lists the scan time in seconds.
711
712 --jsonfile-pretty <jsonfile> or -oJ <jsonfile> Similar to the aforemen‐
713 tioned --jsonfile or --logfile it logs the output in pretty JSON format
714 (see --json-pretty) into a file or a directory. For further explanation
715 see --jsonfile or --logfile.
716
717 --csv Logs additionally to a CSV file ${NODE}-p${port}${YYYYM‐
718 MDD-HHMM}.csv in the current working directory of the shell. The output
719 contains a header with the keys, the values are the same as in the flat
720 JSON format (identifier for each single check, the hostname/IP address,
721 the port, severity, the finding and for vulnerabilities a CVE and CWE
722 number).
723
724 --csvfile <csvfile> or -oC <csvfile> Similar to the aforementioned
725 --jsonfile or --logfile it logs the output in CSV format (see --cvs)
726 additionally into a file or a directory. For further explanation see
727 --jsonfile or --logfile.
728
729 --html Logs additionally to an HTML file ${NODE}-p${port}${YYYYM‐
730 MDD-HHMM}.html in the current working directory of the shell. It con‐
731 tains a 1:1 output of the console. In former versions there was a
732 non-native option to use "aha" (Ansi HTML Adapter:
733 github.com/theZiz/aha) like testssl [options] <URI> | aha >output.html.
734 This is not necessary anymore.
735
736 --htmlfile <htmlfile> or -oH <htmlfile> Similar to the aforementioned
737 --jsonfile or --logfile it logs the output in HTML format (see --html)
738 additionally into a file or a directory. For further explanation see
739 --jsonfile or --logfile.
740
741 -oA <filename> / --outFile <filename> Similar to nmap it does a file
742 output to all available file formats: LOG, JSON pretty, CSV, HTML. If
743 the filename supplied is equal auto the filename is automatically gen‐
744 erated using ´${NODE}-p${port}${YYYYMMDD-HHMM}.${EXT}´ with the accord‐
745 ing extension. If a directory is provided all output files will put
746 into <filename>/${NODE}-p${port}${YYYYMMDD-HHMM}.{log,json,csv,html}.
747
748 -oa <filename> / --outfile <filename> Does the same as the previous
749 option but uses flat JSON instead.
750
751 --hints This option is not in use yet. This option is meant to give
752 hints how to fix a finding or at least a help to improve something.
753 GIVE_HINTS is the environment variable for this.
754
755 --severity <severity> For CSV and both JSON outputs this will only add
756 findings to the output file if a severity is equal or higher than the
757 severity value specified. Allowed are <LOW|MEDIUM|HIGH|CRITICAL>. WARN
758 is another level which translates to a client-side scanning error or
759 problem. Thus you will always see them in a file if they occur.
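The flat JSON format and the --severity rule described above, worked through in an added example (not part of testssl.sh): it validates a flat --json file, applies the same threshold a --severity run would have applied (WARN always kept), and collects the CVE entries per host and port. The sample records, the host, the finding texts and the CVE/CWE values are constructed placeholders; the key names id/ip/port/severity/finding/cve/cwe are assumed from the fields the manual lists.

```python
import json

# Severity ranking for the --severity threshold: LOW|MEDIUM|HIGH|CRITICAL are
# the allowed thresholds; INFO and OK rank below LOW and are dropped by any
# threshold; WARN (a client-side scanning problem) is always kept.
SEVERITY_RANK = {"INFO": 0, "OK": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
THRESHOLDS = ("LOW", "MEDIUM", "HIGH", "CRITICAL")

# Constructed sample of the flat format (--json / -oj). Host, finding texts,
# CVE and CWE values are placeholders, not a real scan result.
SAMPLE_FLAT_JSON = """[
  {"id": "service", "ip": "example.test/192.0.2.10", "port": "443",
   "severity": "INFO", "finding": "HTTP"},
  {"id": "TLS1", "ip": "example.test/192.0.2.10", "port": "443",
   "severity": "LOW", "finding": "offered (deprecated)"},
  {"id": "heartbleed", "ip": "example.test/192.0.2.10", "port": "443",
   "severity": "CRITICAL", "cve": "CVE-0000-0000", "cwe": "CWE-000",
   "finding": "VULNERABLE (placeholder)"},
  {"id": "cipherlist_3DES_IDEA", "ip": "example.test/192.0.2.10", "port": "443",
   "severity": "MEDIUM", "finding": "offered"},
  {"id": "scanProblem", "ip": "example.test/192.0.2.10", "port": "443",
   "severity": "WARN", "finding": "client-side scanning problem (placeholder)"}
]"""

# Keys the manual promises for every flat record (assumed key names).
REQUIRED_KEYS = ("id", "ip", "port", "severity", "finding")


def load_flat_json(text):
    """Parse a flat testssl JSON file and reject records missing a required key."""
    records = json.loads(text)
    if not isinstance(records, list):
        raise ValueError("flat JSON output must be an array of findings")
    for r in records:
        missing = [k for k in REQUIRED_KEYS if k not in r]
        if missing:
            raise ValueError(f"record {r.get('id')!r} lacks {missing}")
    return records


def filter_findings(records, severity):
    """Keep what 'testssl --severity <severity>' would have written: findings
    at or above the threshold plus every WARN, regardless of threshold."""
    if severity not in THRESHOLDS:
        raise ValueError(f"severity must be one of {THRESHOLDS}")
    minimum = SEVERITY_RANK[severity]
    return [r for r in records
            if r["severity"] == "WARN"
            or SEVERITY_RANK.get(r["severity"], -1) >= minimum]


def cves_per_target(records):
    """Map 'host/ip:port' to the sorted CVE ids among its findings, the way a
    ticketing or CI step would consume the file."""
    out = {}
    for r in records:
        if "cve" in r:
            out.setdefault(f"{r['ip']}:{r['port']}", set()).add(r["cve"])
    return {target: sorted(cves) for target, cves in out.items()}


if __name__ == "__main__":
    findings = load_flat_json(SAMPLE_FLAT_JSON)
    for rec in filter_findings(findings, "MEDIUM"):
        print(f"{rec['severity']:8} {rec['id']:22} {rec['finding']}")
    print(cves_per_target(findings))
```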

--append Normally, if an output file already exists and it has a file
size greater than zero, testssl will prompt you to manually remove the
file and exit with an error. --append however will append to this
file, without a header. The environment variable APPEND does the same.
Be careful using this switch/variable. A complementary option which
overwrites an existing file doesn't exist by design.

--outprefix <fname_prefix> Prepend the output filename prefix
fname_prefix before '${NODE}-'. You can use as well the environment
variable FNAME_PREFIX. Using this any output files will be named
<fname_prefix>-${NODE}-p${port}${YYYYMMDD-HHMM}.<format> when no file
name of the respective output option was specified. If you do not like
the separator '-' you can as well supply a <fname_prefix> ending in
'.', '_' or ','. In this case or if you already supplied '-' no
additional '-' will be appended to <fname_prefix>.

A few file output options can also be preset via environment variables.

COLOR RATINGS
Testssl.sh makes use of (the eight) standard terminal colors. The color
scheme is as follows:

· light red: a critical finding

· red: a high finding

· brown: a medium finding

· yellow: a low finding

· green (blue if COLORBLIND is set): something which is either in
general a good thing or a negative result of a check which otherwise
results in a high finding

· light green (light blue if COLORBLIND is set): something which is
either in general a very good thing or a negative result of a check
which otherwise results in a critical finding

· no color at places where also a finding can be expected: a finding
on an info level

· cyan: currently only used for --show-each or an additional hint

· magenta: signals a warning condition, e.g. either a local lack of
capabilities on the client side or another problem

· light magenta: a fatal error which either requires strict consent
from the user to continue or a condition which leaves no other
choice for testssl but to quit

What is labeled as "light" above appears as such on the screen but is
technically speaking "bold". Besides, --color=3 will color ciphers
according to an internal and rough rating.

Markup (without any color) is used in the following manner:

· bold: for the name of the test

· underline + bold: for the headline of each test section

· underline: for a sub-headline

· italics: for strings just reflecting a value read from the server

TUNING via ENV variables and more options
Apart from the environment variables mentioned above which can replace
command line options, here are some which cannot be set otherwise.
Variables used for tuning are preset with reasonable values. There
should be no reason to change them unless you use testssl under special
conditions.

· TERM_WIDTH is a variable which overrides the auto-determined
terminal width. Setting this variable normally only makes sense if
you log the output to a file using the --log, --logfile or -oL
option.

· DEBUG_ALLINONE / SETX: when one of those is set to true testssl
falls back to the standard bash behavior, i.e. when calling bash -x
testssl it displays the bash debugging output directly instead of
writing it to an external file /tmp/testssl-<XX>.log

· DEBUGTIME: Profiling option. When using bash's debug mode and when
this is set to true, it generates a separate text file with epoch
times in /tmp/testssl-<XX>.time. They need to be concatenated by
paste /tmp/testssl-<XX>.{time,log}

· EXPERIMENTAL=true is an option which is sometimes used in the
development process to make testing easier. In released versions
this has no effect.

· ALL_CLIENTS=true runs a client simulation with all (currently 126)
clients when testing HTTP.

· UNBRACKTD_IPV6: needs to be set to true for some old versions of
OpenSSL (like from Gentoo) which don't support [bracketed] IPv6
addresses

· NO_ENGINE: if you have problems with garbled output containing the
word 'engine' you might want to set this to true. It forces testssl
not to try to configure openssl's engine or a non-existing one from
libressl

· HEADER_MAXSLEEP: How long to wait before killing the process which
retrieves a service banner / HTTP header

· MAX_WAITSOCK: It instructs testssl to wait until the specified time
before declaring a socket connection dead. Don't change this unless
you're absolutely sure what you're doing. Value is in seconds.

· CCS_MAX_WAITSOCK is similar to the above but applies only to the
CCS handshakes, for both of the two CCS payloads. Don't change this
unless you're absolutely sure what you're doing. Value is in seconds.

· HEARTBLEED_MAX_WAITSOCK is similar to MAX_WAITSOCK but applies only
to the ServerHello after sending the Heartbleed payload. Don't change
this unless you're absolutely sure what you're doing. Value is in
seconds.

· MEASURE_TIME_FILE For the seldom cases when you don't want the scan
time to be included in the output you can set this to false.

· STARTTLS_SLEEP is by default set to 10 (seconds). That's the time
testssl waits for a string in the STARTTLS handshake before giving
up.

· MAX_PARALLEL is the maximum number of tests to run in parallel in
parallel mass testing mode. The default value of 20 may be made
larger on systems with faster processors.

· MAX_WAIT_TEST is the maximum time (in seconds) to wait for a single
test in parallel mass testing mode to complete. The default is
1200.

· HSTS_MIN is preset to 179 (days). If you want warnings sooner or
later for HTTP Strict Transport Security you can change this.

· HPKP_MIN is preset to 30 (days). If you want warnings sooner or
later for HTTP Public Key Pinning you can change this.

· DAYS2WARN1 is the first threshold at which you'll be warned of a
certificate expiration of a host, preset to 60 (days). For Let's
Encrypt this value will be divided internally by 2.

· DAYS2WARN2 is the second threshold at which you'll be warned of a
certificate expiration of a host, preset to 30 (days). For Let's
Encrypt this value will be divided internally by 2.

· TESTSSL_INSTALL_DIR is the derived installation directory of
testssl. Relative to that, the bin directory and the mandatory etc
directory are looked for.

· CA_BUNDLES_PATH: If you have your own set of CA bundles or you want
to point testssl to a specific location of a CA bundle, you can use
this variable to set the directory which testssl will use. Please
note that it completely overrides the builtin path of testssl, which
means that you will only test against the bundles you point to.
Also you might want to use ~/utils/create_ca_hashes.sh to create
the hashes for HPKP.

· MAX_SOCKET_FAIL: A number which tells testssl how often a TCP
socket connection may fail before the program gives up and
terminates. The default is 2. You can increase it to a higher value
if you frequently see a message like Fatal error: repeated openssl
s_client connect problem, doesn't make sense to continue.

· MAX_OSSL_FAIL: A number which tells testssl how often an OpenSSL
s_client connect may fail before the program gives up and
terminates. The default is 2. You can increase it to a higher value
if you frequently see a message like Fatal error: repeated TCP
connect problems, giving up.

· MAX_HEADER_FAIL: A number which tells testssl how often an HTTP GET
request over OpenSSL may return an empty file before the program
gives up and terminates. The default is 3. Here as well you can
increase the threshold when you spot messages like Fatal error:
repeated HTTP header connect problems, doesn't make sense to
continue.

EXAMPLES
testssl testssl

does a default run on https://testssl (protocols, standard cipher
lists, PFS, server preferences, server defaults, vulnerabilities,
testing all known 370 ciphers, client simulation).

testssl testssl.net:443

does the same default run as above with the subtle difference that
testssl.net has two IPv4 addresses. Both are tested.

testssl --ip=one --wide https://testssl.net:443

does the same checks as above, with the difference that one IP address
is being picked randomly. Everything is displayed in wide format where
possible.

testssl -6 https://testssl.net

As opposed to the first example it also tests the IPv6 part --
provided you have an IPv6 network and your openssl supports IPv6 (see
above).

testssl -t smtp smtp.gmail.com:25

Checks are done via a STARTTLS handshake on the plain text port 25. It
checks every IP of smtp.gmail.com.

testssl --starttls=imap imap.gmx.net:143

does the same on the plain text IMAP port.

Please note that for plain TLS-encrypted ports you must not specify the
protocol option when no STARTTLS handshake is offered: testssl
smtp.gmail.com:465 just checks the encryption on the SMTPS port,
testssl imap.gmx.net:993 on the IMAPS port. Also MongoDB, which
provides TLS support without STARTTLS, can be tested directly.

RFCs and other standards
· RFC 2246: The TLS Protocol Version 1.0

· RFC 2818: HTTP Over TLS

· RFC 2595: Using TLS with IMAP, POP3 and ACAP

· RFC 3207: SMTP Service Extension for Secure SMTP over Transport
Layer Security

· RFC 3501: INTERNET MESSAGE ACCESS PROTOCOL - VERSION 4rev1

· RFC 4346: The Transport Layer Security (TLS) Protocol Version 1.1

· RFC 4366: Transport Layer Security (TLS) Extensions

· RFC 4492: Elliptic Curve Cryptography (ECC) Cipher Suites for
Transport Layer Security (TLS)

· RFC 5077: Transport Layer Security (TLS) Session Resumption

· RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2

· RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
Certificate Revocation List (CRL) Profile

· RFC 5321: Simple Mail Transfer Protocol

· RFC 5746: Transport Layer Security (TLS) Renegotiation Indication
Extension

· RFC 6066: Transport Layer Security (TLS) Extensions: Extension
Definitions

· RFC 6101: The Secure Sockets Layer (SSL) Protocol Version 3.0

· RFC 6120: Extensible Messaging and Presence Protocol (XMPP): Core

· RFC 6125: Domain-Based Application Service Identity [..]

· RFC 6797: HTTP Strict Transport Security (HSTS)

· RFC 6961: The Transport Layer Security (TLS) Multiple Certificate
Status Request Extension

· RFC 7469: Public Key Pinning Extension for HTTP (HPKP)

· RFC 7507: TLS Fallback Signaling Cipher Suite Value (SCSV) for
Preventing Protocol Downgrade Attacks

· RFC 7627: Transport Layer Security (TLS) Session Hash and Extended
Master Secret Extension

· RFC 7633: X.509v3 Transport Layer Security (TLS) Feature Extension

· RFC 7465: Prohibiting RC4 Cipher Suites

· RFC 7685: A Transport Layer Security (TLS) ClientHello Padding
Extension

· RFC 7905: ChaCha20-Poly1305 Cipher Suites for Transport Layer
Security (TLS)

· RFC 7919: Negotiated Finite Field Diffie-Hellman Ephemeral
Parameters for Transport Layer Security

· RFC 8143: Using Transport Layer Security (TLS) with Network News
Transfer Protocol (NNTP)

· RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3

· W3C CSP: Content Security Policy Level 1-3

· TLSWG Draft: The Transport Layer Security (TLS) Protocol Version
1.3

EXIT STATUS
· 0 testssl finished successfully without errors and without
ambiguous results

· 1 testssl has encountered exactly one ambiguous situation or an
error during the run

· 1+n same as previous. The errors or ambiguous results are added up,
also per IP.

· 50-200 reserved for returning a vulnerability scoring for system
monitoring or CI tools

· 242 (ERR_CHILD) Child received a signal from master

· 244 (ERR_RESOURCE) Resources testssl needs couldn't be read

· 245 (ERR_CLUELESS) Weird state, either through user options or
testssl

· 246 (ERR_CONNECT) Connectivity problem

· 247 (ERR_DNSLOOKUP) Problem with resolving IP addresses or names

· 248 (ERR_OTHERCLIENT) Other client problem

· 249 (ERR_DNSBIN) Problem with DNS lookup binaries

· 250 (ERR_OSSLBIN) Problem with OpenSSL binary

· 251 (ERR_NOSUPPORT) Feature requested is not supported

· 252 (ERR_FNAMEPARSE) Input file couldn't be parsed

· 253 (ERR_FCREATE) Output file couldn't be created

· 254 (ERR_CMDLINE) Cmd line couldn't be parsed

· 255 (ERR_BASH) Bash version incorrect

FILES
etc/*pem are the certificate stores from Apple, Linux, Mozilla Firefox,
Windows and Java.

etc/client-simulation.txt contains client simulation data.

etc/cipher-mapping.txt provides a mandatory file with the mapping from
OpenSSL cipher suite names to the ones from IANA / used in the RFCs.

etc/tls_data.txt provides a mandatory file for ciphers (bash sockets)
and key material.

AUTHORS
Developed by Dirk Wetter, David Cooper and many others, see
CREDITS.md.

COPYRIGHT
Copyright © 2012 Dirk Wetter. License GPLv2: Free Software Foundation,
Inc. This is free software: you are free to change and redistribute it
under the terms of the license, see LICENSE.

Attribution is important for the future of this project - also on the
internet. Thus if you're offering a scanner based on testssl.sh as a
public and/or paid service on the internet you are strongly encouraged
to mention to your audience that you're using this program and where to
get this program from. That helps us to get bugfixes, other feedback
and more contributions.

Usage WITHOUT ANY WARRANTY. USE at your OWN RISK!

LIMITATIONS
All native Windows platforms emulating Linux are known to be slow.

BUGS
Probably. Current known ones and the interface for filing new ones:
https://testssl.sh/bugs/ .

SEE ALSO
ciphers(1), openssl(1), s_client(1), x509(1), verify(1), ocsp(1),
crl(1), bash(1) and the websites https://testssl.sh/ and
https://github.com/drwetter/testssl.sh/ .


January 2020 TESTSSL(1)